Creating a new policy: permitted locations

[Akshay-a-j]

Hello,
I have couple of questions.

1. Is there a streamlined approach to creating a new policy, such as one that utilizes participant ID instead of a time interval, that can be implemented through the frontend UI or Postman?

2. Whenever I modify the backend, the changes don't seem to reflect in the frontend UI. Is it necessary to rebuild the entire project and recreate the Docker images to see these changes?

Thank you

[tmberthold]

Hello, what exactly is meant by "Whenever I modify the backend, the changes don't seem to reflect in the frontend UI"? If the backend is modified and rebuilt, the changes will only be present in the backend. If adjustments are made to the UI and the UI is rebuilt, the changes are visible in the UI. For the interaction between the two, for our UI we use an API wrapper for API calls located in this repo, so changes to the API would have to be made there, for example. What exactly were you trying to change?

[Akshay-a-j]

Hi @tmberthold,

I am trying to add a new policy to the existing mechanism. Please find below the procedure I followed:

1. I added the necessary code files to the existing repo.
2. Rebuild the docker image (dockerfile under launchers folder)
   using the command: "docker build --no-cache -t my-custom-edc:latest ."
3. Rerun docker compose up command

But I see the following when I run docker compose up command:

✔ Container edc-extensions-postgresql-1    Running                                                                0.0s
 ✔ Container edc-extensions-postgresql2-1   Running                                                                0.0s
 ✔ Container edc-extensions-edc-1           Recreated                                                              0.1s
 ✔ Container edc-extensions-test-backend-1  Created                                                                0.0s
 ✔ Container edc-extensions-edc-ui2-1       Created                                                                0.0s
 ✔ Container edc-extensions-edc2-1          Recreated                                                              0.1s
 ✔ Container edc-extensions-edc-ui-1        Created                                                                0.0s

and

edc-extensions-edc-1 exited with code 255
edc-extensions-edc2-1 exited with code 255

When I checked the log details using "docker logs edc-extensions-edc-1" command, I see the following error:

[024-01-08 05:41:37 Configuration file does not exist: dataspaceconnector-configuration.properties. Ignoring.
2024-01-08 05:41:37 Initialized FS Configuration
2024-01-08 05:41:38 Initialized Boot Services
2024-01-08 05:41:38 Initialized JSON-LD Extension
2024-01-08 05:41:38 Error booting runtime: Key store does not exist: dataspaceconnector-keystore.jks
org.eclipse.edc.spi.EdcException: Key store does not exist: dataspaceconnector-keystore.jks
        at org.eclipse.edc.vault.filesystem.FsVaultExtension.loadKeyStore(FsVaultExtension.java:80)
        at org.eclipse.edc.vault.filesystem.FsVaultExtension.initialize(FsVaultExtension.java:56)
        at org.eclipse.edc.boot.system.injection.lifecycle.InitializePhase.initialize(InitializePhase.java:37)
        at org.eclipse.edc.boot.system.injection.lifecycle.ExtensionLifecycleManager.initialize(ExtensionLifecycleManager.java:61)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(Unknown Source)
        at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)
        at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source)
        at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)
        at java.base/java.util.stream.ReferencePipeline.collect(Unknown Source)
        at org.eclipse.edc.boot.system.ExtensionLoader.bootServiceExtensions(ExtensionLoader.java:67)
        at org.eclipse.edc.boot.system.runtime.BaseRuntime.bootExtensions(BaseRuntime.java:141)
        at org.eclipse.edc.boot.system.runtime.BaseRuntime.boot(BaseRuntime.java:202)
        at org.eclipse.edc.boot.system.runtime.BaseRuntime.boot(BaseRuntime.java:84)
        at org.eclipse.edc.boot.system.runtime.BaseRuntime.main(BaseRuntime.java:72)]

But I don't see "dataspaceconnector-configuration.properties" and "dataspaceconnector-keystore.jks" files in this repository. So, I am doubting if the procedure I followed is correct or not. Could you please look into this issue?

[tmberthold]

Hi, by this our standard EDC CE is built, which requires a connection to a DAPS/IAM and therefore also a valid connector certificate. Since this certificate in a JKS is unique per connector and is issued by the operator of the DAPS/IAM solution, we of course do not provide one within the repo. If the EDC is then started up without a certificate, it will complain accordingly.

You could try swapping the connector version in the dockerfile so that the dev version is used, which comes with an IAM-mock and does not rely on a connector certificate, but should not be used productively either. This IAM-mock variant is called "sovity-dev".
https://github.com/sovity/edc-extensions/blob/eedbe5d9cc7da893e564013fac4933ab00e52653/launchers/Dockerfile#L12C21-L12C30

[Akshay-a-j]

Thank you @tmberthold. It is working now. However, I've observed that the 'Connector-Restricted-Usage' policy isn't operating correctly. Whenever I create a contract definition (provider-connector) and include the 'Connector-Restricted-Usage' policy, it's not visible in the consumer-connector catalog browser. Could you please verify if this is an issue? If it is, would you mind investigating further?

[tmberthold]

You would have to add a Policy e.g. like so using the "my-edc" Connector:

and a Contract Definition with e.g. the following combination (replace the contract policy name with your choice from step 1):

Then the offer should be visible in the "my-edc2" Connector and the connector should be allowed to negotiate a contract.

Nevertheless, the contract negotiation that then would follow does not currently work in combination with the Connector-Restricted-Policy. We'll take a look at that.

[tmberthold]

I've created an Issue for it, we will further investigate the use of the Connector-Restricted-Policy. Thank you for reporting!
#721

[Akshay-a-j]

I'm interested in developing a custom policy to verify if the consumer's location is included in a predetermined list of permitted locations. Could you kindly provide me with a basic guide on how to do this?

[tmberthold]

Theory: I imagine it would be difficult as of now because, based on my knowledge, there is simply no information about where in which town/country a connector is running. There are also CaaS providers like us, then the connector runs in Germany, but the company that is assigned to the CaaS may be abroad. What would first be needed here is a mechanism by which a connector can provide the information and how it can be set (connector properties?) about where and in which location/country it is running. Only when you know how this information can be stored for a connector and how you can get this information in the event of a contract negotiation in the next step, then you can start implementing a policy, which checks whether a connector is on a list of approved countries.

[Akshay-a-j]

Hello @tmberthold,
I tried to transfer a file that had a "Connector-Restricted-Usage" policy attached, using the most recent version (v7.2.0) of the edc-extension. However, when initiating a contract negotiation from the consumer connector, the negotiation process failed and resulted in an error. Could you investigate this matter?

Error:
ContractNegotiation: ID a2039542-9d9d-439b-893f-009e3b0da9c1. Fatal error while [Consumer] Send ContractRequestMessage message. Error details: {"@type":"dspace:ContractNegotiationError","dspace:code":"400","dspace:reason":"Contract offer is not valid: Policy Conn_res_policy not fulfilled","@context":{"dct":"https://purl.org/dc/terms/","edc":"https://w3id.org/edc/v0.0.1/ns/","dcat":"https://www.w3.org/ns/dcat/","odrl":"http://www.w3.org/ns/odrl/2/","dspace":"https://w3id.org/dspace/v0.8/"}}

[tmberthold]

Hi, core-edc is currently as of today working on improving that specific error-message: Link.

It currently only says ContractNegotiationError: Contract offer is not valid: Policy Conn_res_policy not fulfilled without going into details, why the policy was not fullfilled.

This message pops up when the provider validates the initial consumer offer, specifically the contract policy. For some reason, your consumer does not seem to meet the policy-conditions for further negotiating the contract, which is why the provider rejects the consumers request.

[Akshay-a-j]

I've ensured that all the inputs provided were accurate while creating the asset, policy, and contract definitions. Do you have any suggestions for resolving this issue?

[tmberthold]

Hi - if you use the dev-variant, the policy you are trying to use is not fully supported there because of the used IAM-Mock. For the technical details on how it works, here is the readme: https://github.com/sovity/edc-extensions/blob/main/extensions/policy-referring-connector/README.md